Summary

As proposed, the Cloud and AI Development Act (CADA) does not prescribe the step-by-step methodology for sovereignty audits in its primary text. Instead, Article 20(9) explicitly empowers the Commission to adopt delegated acts to supplement the Regulation with detailed rules on the performance of audits. These future acts will define procedural steps, auditor technical competences, auditing methodologies, and report templates. Providers seeking Union assurance levels 2, 3, or 4 must prepare for these forthcoming secondary rules, which will strictly define how independent auditing organisations verify compliance with the criteria in Annex II and the evidence listed in Annex III. Until these acts are adopted, the primary text serves as the baseline, but the granular mechanics remain to be determined.

Detail

The Cloud and AI Development Act (CADA) establishes a four-tiered sovereignty framework for cloud computing services, known as Union assurance levels. While the primary text of the proposal sets the high-level criteria for these levels in Annex II and lists indicative audit evidence in Annex III, it deliberately leaves the granular mechanics of the audit process to secondary legislation. This legislative design allows the regulatory framework to adapt to rapid technological changes in cloud infrastructure and AI without requiring a full amendment of the Regulation itself.

The Core Mechanism: Article 20(9) and Delegated Acts

The definitive mechanism for defining audit rules is found in Article 20(9) of the CADA proposal. This provision grants the Commission specific powers to flesh out the operational details of the audit regime. The text states:

"The Commission is empowered to adopt delegated acts in accordance with Article 45 to supplement this Regulation by laying down rules on the performance of audits on the procedural steps, rules for auditing organisations and their technical competences, auditing methodologies and templates for the audit reports."

This delegation is critical for the ecosystem's stability. While CADA mandates that independent third-party audits must occur for Union assurance levels 2, 3, and 4, the how (the specific technical and procedural execution) is reserved for the Commission. These delegated acts will likely cover four distinct pillars:

  1. Procedural Steps: The acts will define the exact timeline, phases, and interaction points between the cloud service provider, the auditing organisation, and the national competent authority. This includes the sequence of evidence submission, the duration of the audit, and the formal notification protocols.
  2. Technical Competences: To ensure audits are rigorous, the acts will specify the qualifications, certifications, or experience levels required for auditing organisations and their individual staff. This ensures auditors possess the specific expertise needed to verify complex cloud infrastructure, software supply chains, and data residency controls.
  3. Auditing Methodologies: The Commission will standardize the methods for verifying criteria. This could include specific testing protocols for remote access vulnerabilities, standardized validation procedures for Software Bills of Materials (SBOMs), or technical demonstrations required to confirm data residency claims.
  4. Report Templates: To facilitate the recognition process under Article 17, the acts will likely mandate standardized formats for audit reports. This ensures consistency across the Union, allowing national competent authorities to compare and validate audit opinions efficiently.

Refining the Evidence: Article 21(1) and Annex III

In parallel with the general audit rules, Article 21(1) provides a specific power to amend the evidence requirements. It states:

"The Commission is empowered to adopt delegated acts in accordance with Article 45 to amend Annex III by laying down the necessary evidence needed to assess the audit criteria under Annex II."

Annex III currently lists indicative audit evidence that auditing organisations should request from providers. It covers critical areas such as Union establishment (Criterion A), location of infrastructure (Criterion B), and data localisation (Criterion C). However, the Annex explicitly notes: "This Annex is indicative and does not limit the evidence that may be requested or considered by the auditing organisations."

The delegated acts under Article 21(1) will likely transform this indicative list into a more prescriptive checklist. They will specify exactly which documents, system logs, or technical demonstrations are legally necessary to prove compliance with each criterion in Annex II. This refinement aims to reduce ambiguity for providers and ensure that auditors have a clear, legally backed standard for evidence collection.

Baseline Requirements for Auditing Organisations

While the detailed methodology is deferred to secondary legislation, CADA's primary text establishes strict baseline requirements for auditing organisations in Article 20(4). These rules are designed to guarantee the independence and objectivity of the audit opinion. Key constraints include:

  • Independence from Non-Audit Services: Auditors cannot have provided non-audit services related to the matters audited to the provider in the 12-month period before the audit, nor can they commit to providing such services in the 12-month period after the audit.
  • Rotation: To prevent long-term entanglement, auditors cannot have provided auditing services under CADA to the same provider in the 10-year period before the audit.
  • Fee Structure: Fees for the audit cannot be contingent on the result of the audit.
  • Expertise: Auditors must have proven expertise, technical competence, and capabilities in auditing cloud computing services, along with proven objectivity and professional ethics.

The forthcoming delegated acts under Article 20(9) will likely elaborate on how these independence checks are verified, documented, and enforced by national competent authorities.

The Audit Process and Outcomes

Under Article 20(1), providers seeking Union assurance levels 2, 3, or 4 must undergo independent third-party audits at their own expense. The audit must result in a substantiated report and a formal audit opinion. The opinion can take one of three forms:

  • Positive: All evidence shows that the provider complies with the audit criteria and obligations.
  • Negative: The auditor considers that the provider does not comply with the criteria.
  • Qualified/Unqualified: If the auditor cannot reach a conclusion on specific aspects, the report must explain the reasons.

Crucially, a negative opinion or a failure to meet the requirements of a lower assurance level precludes recognition at higher levels. The audit report must be substantiated, including a declaration of interests, a description of the methodology applied, and, in the case of a negative opinion, operational recommendations for remediation.

What this means for you

For CTOs, architects, compliance officers, and SMEs, the reliance on delegated acts for audit rules creates a period of regulatory uncertainty but also a strategic opportunity to prepare proactively.

For Cloud Service Providers

  1. Monitor Delegated Acts Closely: The specific evidence you need to gather will be defined by the delegated acts under Article 20(9) and Article 21(1). Until these are adopted, use Annex III as your baseline for internal documentation and control frameworks, but expect the final requirements to be more detailed.
  2. Prepare for Rigorous Evidence Collection: Annex III already requires detailed evidence, such as complete SBOMs, data flow diagrams, access logs, and proof of legal separation from third-country entities. Ensure your internal systems can generate this data efficiently and that your data residency controls are technically enforceable and auditable.
  3. Select Auditors Early: Given the strict 10-year rotation rule in Article 20(4), the pool of eligible auditors for a specific provider may be limited initially. Engage with potential auditing organisations early to understand their capabilities, their readiness for the upcoming methodologies, and their independence status.
  4. Document Independence: Ensure your contracts with potential auditors clearly outline independence commitments, especially regarding non-audit services, to avoid disqualification later.

For SMEs

SMEs may face higher relative costs for these audits. However, Article 17(3) provides a significant derogation for Union assurance level 1: SMEs issuing an EU statement of conformity for Level 1 do not need prior recognition by a national competent authority; their statement is directly and automatically recognized in all Member States. For higher assurance levels (2, 3, or 4), SMEs should look for support from the network of Experience and Acceleration Centres for AI (Article 5) or national competent authorities to navigate the audit process and potentially reduce costs through shared resources.

For Architects

Architects must design systems that are "audit-ready" from day one. This means:

  • Immutable Logs: Ensuring access logs, data flow records, and change management logs are tamper-proof, time-stamped, and easily retrievable for auditors.
  • Clear Data Residency: Implementing technical controls that prevent data from leaving the Union unless explicitly required by the customer, and documenting these controls thoroughly with technical evidence.
  • Supply Chain Transparency: Maintaining up-to-date SBOMs and documenting the origin, licensing, and maintenance status of all software components, especially those from third countries, to satisfy Annex II criteria on software supply chains.

Common misconceptions

Misconception 1: The audit methodology is fixed in CADA. Reality: CADA sets the criteria (Annex II) and indicative evidence (Annex III), but the methodology for the audit itself is explicitly left to delegated acts under Article 20(9). Providers cannot rely on a single static checklist; they must prepare for evolving procedural rules defined by the Commission.

Misconception 2: Any auditor can perform a CADA sovereignty audit. Reality: Auditing organisations must meet strict independence and competence requirements under Article 20(4). They must be free from conflicts of interest, have no recent non-audit relationships with the provider (12-month lookback/forward), and possess specific technical expertise. The forthcoming delegated acts will further define these competences.

Misconception 3: Union assurance level 1 requires a third-party audit. Reality: Only Union assurance levels 2, 3, and 4 require independent third-party audits (Article 20(1)). Level 1 relies on a conformity self-assessment and an EU statement of conformity (Article 19). However, even for Level 1, national competent authorities can request evidence, and the criteria in Annex II still apply.

Misconception 4: Annex III is an exhaustive list of required evidence. Reality: Annex III is explicitly "indicative" and does not limit the evidence an auditor may request. Auditors have the discretion to seek additional information necessary for a comprehensive assessment (Annex III, second paragraph). The delegated acts under Article 21(1) will likely clarify the minimum required evidence, but providers should be prepared for broader requests based on specific risk profiles.

This is general information about a draft EU regulation, not legal advice.